Connected Rental Cars Leak Personal Driver Data

Car rental companies in the US, UK and Europe aren’t doing enough to protect consumer privacy, with none of the firms contacted by Privacy International (PI) able to provide clear internal policies on handling drivers’ personal data.

The rights group contacted rental companies and car share schemes in continental Europe, the UK, and US to compile its latest report,Connected Cars: What Happens To Our Data On Rental Cars?

It rented a series of connected cars and analyzed the data collected by the vehicle’s infotainment system. Personal info on past drivers and their passengers was found in every single car.

This included data on past locations, smart phone identifier and entered locations, including a school.

The report explained:

“Seems fairly innocuous? Wrong. Your name and navigation history is valuable personal information. The UK Metropolitan Polices’ 'Digital Control Strategy' identifies infotainment systems in cars, which store this information, as a new forensic opportunity. Combine this information with a bit of open source intelligence, such as social media profiles, and you can track down individuals.”

It gets worse. None of the rental companies and car-share schemes contacted by Privacy International had clear internal policies about how to handle all of this personal information.

Of those that responded to the rights group, all referred the group to terms and conditions which state it is the driver’s responsibility to delete their own data prior to returning the car.

The problem with this is that although some vehicles give drivers the ability to “factory reset” the controls, it’s often hard to locate and is unclear what information is actually deleted, according to Privacy International.

Only one rental company told the group it’s planning to create an internal policy on deleting driver information, as part of compliance with the EU General Data Protection Regulation (GDPR).

Privacy International wants the companies to provide clear instructions to users on how to delete their data — providing a simple delete button to expunge all personal information.

It also argued that these companies should follow GDPR principles of data minimisation, privacy-by-design and data protection, and only process personal data with the unambiguous consent of the subject or if strictly necessary for the delivery of the service.

“When we hire a car, the last thing on our mind is the data we are potentially giving away to companies, manufacturers, and the next driver. However, internet-connected cars know our current location, patterns of movement, connect to our smartphones to download our contacts and messages, may collect our browsing habits and know our music taste. The volume of data collected by infotainment systems and telematics units is growing,” argued PI solicitor, Millie Graham Wood.

“This report shows how basic information, which could identify who we are and where we go, is currently left open and accessible to everyone, on cars used by popular rental companies. We encourage individuals who see someone's data on the car to report it to the company."

Privacy International has been joined by various other rights groups including ANEC, Consumer Action, Consumer Federation of America, and the Norwegian Consumer Council in writing to the rental companies and car schemes.